Objectives
What Are Firewall Policies?
• Policies define:
  o Which traffic matches them
  o How to process traffic that matches
• When a packet for a new IP session arrives, FortiGate looks for a matching policy
  o It starts at the top of the list
  o Only the first matching policy applies
• Implicit deny
  o No matching policy? FortiGate drops the packet
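To make the lookup rules above concrete (top-down walk, first match wins, implicit deny when nothing matches), here is an added Python model of the policy lookup; it is not Fortinet code, and the policy list, interface names and addresses are constructed. Policy 3 in the sample list is shadowed for hosts in 10.0.1.0/24 because policy 2 (all services, deny) sits above it, which is exactly the ordering mistake the "Adjusting Policy Order" slide is about.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    """One firewall policy: match criteria plus the action taken on a match."""
    policy_id: int
    srcintf: str          # ingress interface name or "any"
    dstintf: str          # egress interface name or "any"
    srcaddr: str          # CIDR or "all"
    dstaddr: str          # CIDR or "all"
    service: frozenset    # {"tcp/80", ...} or {"ALL"}
    action: str           # "accept" or "deny"

@dataclass
class Packet:
    """First packet of a new IP session; routing has already chosen out_intf."""
    in_intf: str
    out_intf: str
    src: str
    dst: str
    proto: str
    dport: int

def addr_match(cidr: str, ip: str) -> bool:
    return cidr == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def policy_match(p: Policy, pkt: Packet) -> bool:
    return (p.srcintf in ("any", pkt.in_intf)
            and p.dstintf in ("any", pkt.out_intf)
            and addr_match(p.srcaddr, pkt.src)
            and addr_match(p.dstaddr, pkt.dst)
            and ("ALL" in p.service or f"{pkt.proto}/{pkt.dport}" in p.service))

def lookup(policies, pkt: Packet):
    """Walk the list top-down; the first match wins. No match means implicit
    deny, returned here as policy id 0 (the id FortiGate logs for it)."""
    for p in policies:
        if policy_match(p, pkt):
            return p.policy_id, p.action
    return 0, "deny"

# Constructed sample policy list. Policy 3 never sees SSH from 10.0.1.0/24:
# policy 2 (ALL services, deny) is above it and matches first.
POLICIES = [
    Policy(1, "internal", "wan1", "10.0.1.0/24", "all", frozenset({"tcp/80", "tcp/443"}), "accept"),
    Policy(2, "internal", "wan1", "10.0.1.0/24", "all", frozenset({"ALL"}), "deny"),
    Policy(3, "internal", "wan1", "all", "all", frozenset({"tcp/22"}), "accept"),
]
```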
How Are Policy Matches Determined?
(Diagram label: Authentication)
Policy List: Section View
Policy List: Global View
Adjusting Policy Order
Components & Policy Types
Simplify: Interfaces vs. Zones
(Diagram labels: Incoming, Outgoing)
Matching by Source
Device Identification
Device Identification: Agent-based vs. Agentless
(Diagram: devices with the FortiClient agent (FC) and agentless devices, across DMZ and Internet)
Identification Techniques
• Agentless
  o TCP fingerprinting
  o MAC address vendor codes
  o HTTP user agent
  o Requires “direct” connectivity to FortiGate
• Agent-based
  o Uses FortiClient
  o Location and infrastructure independent
Device Identification: Device List (GUI)
Device Identification: Agentless Device List (CLI)
Device Identification: FortiClient Device List (CLI)
Endpoint Control
• FortiClient profile
Simplify: Groups of Sources/Services
Example: Matching Policy by Source
Implicit Fall Through
• “If this authentication policy does not match, try the next”
  o Previous firmware used an identity policy
  o Flows that failed authentication with the first matching authentication policy were blocked unless the option ‘fall-through-unauthenticated’ was enabled, which caused FortiGate to try subsequent authentication policies
Matching by Destination
Scheduling
• One-time
  o Happens only once
Matching by Service
Object Usage
How Packets are Handled: Step 1
Phase 1 - Ingress
• Denial of service (DoS) sensor
• Packet integrity check
• IPSec tunnel match
• Destination NAT
• Routing
How Packets are Handled: Step 2
Phase 2 - Stateful Inspection
• Management traffic
• Policy lookup
  o Session tracking
  o Session helpers
  o SSL VPN
  o User authentication
  o Traffic shaping
How Packets are Handled: Step 3
How Packets are Handled: Step 4
Logging
(Diagram labels: Accept, Deny)
Monitor
Session Table
Session TTL
Session Table: TCP Example
TCP States
State            Value
NONE             0
ESTABLISHED      1
SYN_SENT         2
SYN & SYN/ACK    3
FIN_WAIT         4
TIME_WAIT        5
CLOSE            6
CLOSE_WAIT       7
LAST_ACK         8
LISTEN           9
diagnose sys session
• Like debug flow, the session table also indicates policy actions
  o Clear any previous filter:
    diagnose sys session filter clear
  o Set the filter:
    diagnose sys session filter ?
      dport    destination port
      dst      destination IP address
      policy   policy id
      sport    source port
      src      source ip address
  o List all entries matching the configured filter:
    diagnose sys session list
  o Clear all entries matching the configured filter:
    diagnose sys session clear
Network Address / Port Translation
(Diagram labels: Source IP address, Source port)
Network Address / Port Translation: NAT
(Diagram: firewall policy with NAT enabled; internal interface 10.10.10.1, wan1 IP address 200.200.200.200, host 10.10.10.10, server 11.12.13.14)
• Before NAT (internal): source IP address 10.10.10.10, source port 1025, destination IP address 11.12.13.14, destination port 80
• After NAT (wan1): source IP address 200.200.200.200, source port 30912, destination IP address 11.12.13.14, destination port 80
Network Address / Port Translation: IP Pool
(Diagram: firewall policy with NAT and an IP pool enabled; internal interface 10.10.10.1, wan1 IP address 200.200.200.200, wan1 IP pool 200.200.200.2-200.200.200.10, host 10.10.10.10, server 11.12.13.14)
• Before NAT (internal): source IP address 10.10.10.10, source port 1025, destination IP address 11.12.13.14, destination port 80
• After NAT (wan1): source IP address 200.200.200.? (an address from the pool), source port 30957, destination IP address 11.12.13.14, destination port 80
IP Pool Type: One-to-One
IP Pool Type: Fixed Port Range
IP Pool Type: Port Block Allocation
• The port block allocation type assigns a block size and a number of blocks per host for a range of external IP addresses
  o Using a small 64 block size and 1 block:
    hping --faster -p 80 -S 10.200.1.254
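The point of the small block size on this slide is that a host is allowed only block size × blocks-per-host translated ports, so a burst of connections from one host fails once its block is full while other hosts are unaffected. Here is an added Python model of that allocation (not Fortinet code; the start port, pool address and host addresses are constructed, and the parameter names are this example's own rather than CLI keywords); it also covers more than one block per host.

```python
from collections import defaultdict

class PortBlockAllocator:
    """Model of port block allocation: each internal host gets up to
    blocks_per_host contiguous blocks of block_size ports from the external IPs.
    Constructed example; start_port=1024 is an assumed value, not a default."""

    def __init__(self, external_ips, block_size=64, blocks_per_host=1, start_port=1024):
        self.block_size = block_size
        self.blocks_per_host = blocks_per_host
        # Free blocks as (external ip, first port), lowest first.
        self.free_blocks = [(ip, first) for ip in external_ips
                            for first in range(start_port, 65536 - block_size + 1, block_size)]
        self.host_blocks = defaultdict(list)   # host -> blocks it currently owns
        self.used_ports = defaultdict(set)     # block -> ports in use

    def allocate(self, host):
        """Return (external ip, port) for a new session from host, or None when every
        port in the host's blocks is in use and it may not take another block."""
        for blk in self.host_blocks[host]:
            used = self.used_ports[blk]
            if len(used) < self.block_size:
                port = next(p for p in range(blk[1], blk[1] + self.block_size) if p not in used)
                used.add(port)
                return blk[0], port
        if len(self.host_blocks[host]) >= self.blocks_per_host or not self.free_blocks:
            return None
        blk = self.free_blocks.pop(0)
        self.host_blocks[host].append(blk)
        self.used_ports[blk].add(blk[1])
        return blk[0], blk[1]

    def release(self, host, ip, port):
        """Free one port when its session ends; an emptied block returns to the pool."""
        for blk in self.host_blocks[host]:
            if blk[0] == ip and blk[1] <= port < blk[1] + self.block_size:
                self.used_ports[blk].discard(port)
                if not self.used_ports[blk]:
                    self.host_blocks[host].remove(blk)
                    self.free_blocks.insert(0, blk)
                return True
        return False

def exhaust(host, allocator):
    """Open sessions from host until allocation fails; return how many succeeded."""
    count = 0
    while allocator.allocate(host) is not None:
        count += 1
    return count
```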
Virtual IPs (VIP)
Network Address / Port Translation: VIP
(Diagram: inbound connection through a VIP; client 11.12.13.14 on wan1 sends to destination IP address 200.200.200.222, destination port 80; the VIP maps it to 10.10.10.10 on internal)
Network Address / Port Translation: Central NAT
Session Helpers
Session Helpers: SIP Example
(Diagram: addresses 172.16.1.1 (inside) and 201.11.1.3 (outside), with internal host 172.16.1.2; media traffic to 172.16.1.2, port 12546 on the inside corresponds to media traffic to 201.11.1.3, port 12546 on the outside)
Traffic Shaping
Traffic Shapers
(Diagram: each shaper is defined by a Guaranteed Bandwidth and a Maximum Bandwidth)
NP Session Offloading & Packet Forwarding
• The first packet in an IP session is handled by the OS kernel (CPU)
• Not ASIC-compatible: the session remains with the CPU (“slow path”)
• ASIC-compatible: the kernel offloads the session to a specialized NP, freeing the CPU (“fast path”)
  o When the session ends, or if errors occur, the NP returns the session to the CPU
Security Profiles
Proxy vs Flow: Proxy-Based Scanning
• Transparent proxy buffers the file as it arrives
• Once transmission is complete, FortiGate examines the file
  o No action until the buffer is full or the file is finished
• Communication is terminated at Layer 4
  o Proxy initiates a secondary connection after the scan
Proxy Options
Proxy vs Flow: Flow-Based Scanning
• File is scanned on a TCP flow basis as it passes through FortiGate
  o IPS engine
• Faster scanning, but lower accuracy
• Requires more signatures than proxy-based techniques
SSL/SSH Inspection
Debugging Firewall Policies
Packet Capture (CLI)
Example: Packet Capture
Packet Capture (GUI)
Packet Flow
diagnose debug flow (Output)
Combining Packet Traces and Flow
  interfaces=[any]
  filters=[host 10.200.1.254 and port 80]
  51.685869 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
  51.937927 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
  54.679653 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
  54.930621 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
• Better: set up the debug flow, then start the sniffer
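The sniffer output above shows the pattern worth recognising: each client port sends a SYN, then the same SYN (identical sequence number) again about three seconds later, and no SYN/ACK ever appears, which means the packet reached port3 but nothing answered it; debug flow then tells you whether a policy dropped it. Here is an added Python script (not Fortinet code) that parses sniffer lines in this format and reports such unanswered, retransmitted SYNs; the four lines from the slide are reused as input and one answered handshake on port 443 is constructed for contrast.

```python
import re
from collections import defaultdict

# The four sniffer lines from this slide, rejoined one per line, plus one
# constructed handshake on port 443 that does get a SYN/ACK, for contrast.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 10.200.1.254 and port 80]
51.685869 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
51.937927 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
54.679653 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
54.930621 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
60.000000 port3 in 10.0.1.10.58380 -> 10.200.1.254.443: syn 100
60.001000 port3 out 10.200.1.254.443 -> 10.0.1.10.58380: syn 200 ack 101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$")

def parse(text):
    """Yield one dict per packet line; header lines (interfaces=, filters=) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        tokens = d.pop("rest").split()           # e.g. ["syn", "3479847099"]
        d["flags"] = {t for t in tokens if t.isalpha()}
        d["seq"] = int(tokens[1]) if len(tokens) > 1 and tokens[1].isdigit() else None
        yield d

def unanswered_syns(text):
    """Map client flow (src, sport, dst, dport) -> (syn count, distinct seqs, seconds
    from first to last SYN) for flows that retransmitted a SYN and never saw a SYN/ACK."""
    syns = defaultdict(list)
    answered = set()
    for p in parse(text):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if {"syn", "ack"} <= p["flags"]:
            # A SYN/ACK travels server -> client; record the client flow it answers.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
        elif "syn" in p["flags"]:
            syns[flow].append((p["ts"], p["seq"]))
    return {flow: (len(seen), {s for _, s in seen}, seen[-1][0] - seen[0][0])
            for flow, seen in syns.items() if len(seen) > 1 and flow not in answered}
```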
Debugging Firewall Policies: debug flow & sniffer
Review
Labs
(OPTIONAL)
• Lab 2: Traffic Log
» Ex 1: Enabling Traffic Logging
Classroom Lab Topology